Google, Apple Pull Trojan-Like ‘Find and Call’ Mobile App From Stores

Google and Apple have pulled an app from their mobile app stores after it was revealed it was sending user contact lists to a remote server and spamming the contacts with messages.

The app, named “Find and Call,” claimed to be an app that helps users organize their address book. However, the app actually takes the user€™s contact list and uploads it to a remote server.

An analysis of the iOS and Android versions of the application by security software company Kaspersky Lab showed it€™s really a Trojan that replicates by the server sending Short Message Service (SMS) texts containing the application€™s URL to all the contacts in the user€™s address book, according to Denis Maslennikov, senior malware analyst with Kaspersky Lab.

When the app launches, the user will be asked to register by entering his or her email address and cell phone number, Maslennikov explained. If the user chooses to €œfind friends in a phone book,€ then the person€™s phone book data will be secretly sent to the remote server.

€œBoth apps are also able to upload the user€™s GPS coordinates to the same server but such [a] €˜feature€™ is not that new for both malicious and legal apps to be honest,€ he blogged. €œSo, what happens next? [Users] will be able to continue using the application, but at the same time the application steals data from the device €¦ which are uploaded to a remote server to be used for SMS spam campaigns. Each phone book entry will receive an SMS spam message offering to click on the URL and download this €˜Find and Call€™ application. It is worth mentioning that the €˜from€™ field contains the user€™s cell phone number. In other words, people will receive an SMS spam message from a trusted source.€

According to a report from the blog Appleinsider.ru, the makers of the application say the situation is due to a bug that is being fixed.

Vanja Svajcer, principal virus researcher at Sophos, wrote that he wouldn€™t necessarily call the application malware, opting instead to refer to it as €œspammy.€

€œIt would probably be more accurate to say that the “Find and Call” app is “spammy”€”as it leaks data all over the place in plain text via http (which means, of course, that the data could be intercepted and sniffed by someone wanting to snoop on you),€ he blogged.

€œOnce the contact details are uploaded from the affected smartphone, there is some server-side code that sends each contact an SMS message with a link to the download location of the app. In this way, the app promotes itself to all of your contacts. That’s pretty ugly behavior, as there are no previous warnings or explanations for the user.€